A popular point of attack by hackers is HTML forms which takes user input where variables (such as password length) are again set on the client side. For this reason, most savvy Web application designers don’t set critical variables in HTML very much anymore (although we still find them, as we’ll discuss throughout this book). In our upcoming overview of Web browsers in this chapter, we’ll also note a few tags that can be used to exploit client-side security issues.

HTML over HTTP is considered the lingua franca of the Web today. Thus, we’ll spend more time talking about HTTP in this book than HTML by far. Ironically, despite the elegance and early influence of HTML, it is being superseded by other technologies. This is primarily due to one of HTML’s most obvious drawbacks: it is a static format that cannot be altered on the fly to suit the constantly shifting needs of end users. Most Web sites today use scripting technologies to generate content on the fly (these will be discussed in the upcoming section “The Web Application”).

Finally, the ascendance of another markup language on the Internet has marked a decline in the use of HTML, and may eventually supersede it entirely. Although very similar to HTML in its use of tags to define document elements, the eXtensible Markup Language (XML) is becoming the universal format for structuring data on the Web due to its extensibility and flexibility to represent data of all types. XML is well on its way to becoming the new lingua franca of the Web, particularly in the arena of Web services, which we will cover briefly later in this chapter and at length in Chapter 10. OK, enough about HTML. Let’s move on to the basic component of Web applications that’s probably not likely to change anytime soon, HTTP.

Transport: HTTP
As we’ve mentioned, Web applications are largely defined by their use of HTTP as the medium of communication between client and server. HTTP version 1.0 is a relatively simple, stateless, ASCII-based protocol defined in RFC 1945 (version 1.1 is covered in RFC 2616). It typically operates over TCP port 80, but can exist on any unused port. Each of its characteristics—its simplicity, statelessness, text base, TCP 80 operation—is worth examining briefly since each is so central to the (in)security of the protocol.

HTTP’s simplicity derives from its limited set of basic capabilities, request and response. HTTP defines a mechanism to request a resource, and the server returns that resource if it is able. Resources are called Uniform Resource Identifiers (URIs) and they can range from static text pages to dynamic streaming video content. Here is a simple example of an HTTP GET request and a server’s HTTP 200 OK response, demonstrated using the netcat tool. First, the client (in this case, netcat) connects to the server on TCP 80. Then, a simple request for the URI “/test.html” is made, followed by two carriage returns. The server responds with a code indicating the resource was successfully retrieved, and forwards the resource’s data to the client.

C:\>nc -vv www.test.com 80
www.test.com [10.124.72.30] 80 (http) open
GET /test.html HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 04 Feb 2002 01:33:20 GMT
Server: Apache/1.3.22 (Unix)
Connection: close
Content-Type: text/html
<HTML><HEAD><TITLE>TEST.COM</TITLE>etc.

HTTP is thus like a hacker’s dream—there is no need to understand cryptic syntax in order to generate requests, and likewise decipher the context of responses. Practically anyone can become a fairly proficient HTTP hacker with very little effort.

Furthermore, HTTP is stateless—no concept of session state is maintained by the protocol itself. That is, if you request a resource and receive a valid response, then request another, the server regards this as a wholly separate and unique request. It does not maintain anything like a session or otherwise attempt to maintain the integrity of a link with the client. This also comes in handy for hackers, as there is no need to plan multistage attacks to emulate intricate session maintenance mechanisms—a single request can bring a Web server or application to its knees.

To get this complete E-book on how to hack a website, web applications and internet security call or whatsapp me on 08060130891. E-book is sold for N2,000 for the first 10 persons to order, after which it will be sold for N3000. Hurry up.

menor2525:
A popular point of attack by hackers is HTML forms which takes user input where variables (such as password length) are again set on the client side. For this reason, most savvy Web application designers don’t set critical variables in HTML very much anymore (although we still find them, as we’ll discuss throughout this book). In our upcoming overview of Web browsers in this chapter, we’ll also note a few tags that can be used to exploit client-side security issues.

HTML over HTTP is considered the lingua franca of the Web today. Thus, we’ll spend more time talking about HTTP in this book than HTML by far. Ironically, despite the elegance and early influence of HTML, it is being superseded by other technologies. This is primarily due to one of HTML’s most obvious drawbacks: it is a static format that cannot be altered on the fly to suit the constantly shifting needs of end users. Most Web sites today use scripting technologies to generate content on the fly (these will be discussed in the upcoming section “The Web Application”).

Finally, the ascendance of another markup language on the Internet has marked a decline in the use of HTML, and may eventually supersede it entirely. Although very similar to HTML in its use of tags to define document elements, the eXtensible Markup Language (XML) is becoming the universal format for structuring data on the Web due to its extensibility and flexibility to represent data of all types. XML is well on its way to becoming the new lingua franca of the Web, particularly in the arena of Web services, which we will cover briefly later in this chapter and at length in Chapter 10. OK, enough about HTML. Let’s move on to the basic component of Web applications that’s probably not likely to change anytime soon, HTTP.

Transport: HTTP
As we’ve mentioned, Web applications are largely defined by their use of HTTP as the medium of communication between client and server. HTTP version 1.0 is a relatively simple, stateless, ASCII-based protocol defined in RFC 1945 (version 1.1 is covered in RFC 2616). It typically operates over TCP port 80, but can exist on any unused port. Each of its characteristics—its simplicity, statelessness, text base, TCP 80 operation—is worth examining briefly since each is so central to the (in)security of the protocol.

HTTP’s simplicity derives from its limited set of basic capabilities, request and response. HTTP defines a mechanism to request a resource, and the server returns that resource if it is able. Resources are called Uniform Resource Identifiers (URIs) and they can range from static text pages to dynamic streaming video content. Here is a simple example of an HTTP GET request and a server’s HTTP 200 OK response, demonstrated using the netcat tool. First, the client (in this case, netcat) connects to the server on TCP 80. Then, a simple request for the URI “/test.html” is made, followed by two carriage returns. The server responds with a code indicating the resource was successfully retrieved, and forwards the resource’s data to the client.

C:\>nc -vv www.test.com 80
www.test.com [10.124.72.30] 80 (http) open
GET /test.html HTTP/1.0
HTTP/1.1 200 OK
Date: Mon, 04 Feb 2002 01:33:20 GMT
Server: Apache/1.3.22 (Unix)
Connection: close
Content-Type: text/html
<HTML><HEAD><TITLE>TEST.COM</TITLE>etc.

HTTP is thus like a hacker’s dream—there is no need to understand cryptic syntax in order to generate requests, and likewise decipher the context of responses. Practically anyone can become a fairly proficient HTTP hacker with very little effort.

Furthermore, HTTP is stateless—no concept of session state is maintained by the protocol itself. That is, if you request a resource and receive a valid response, then request another, the server regards this as a wholly separate and unique request. It does not maintain anything like a session or otherwise attempt to maintain the integrity of a link with the client. This also comes in handy for hackers, as there is no need to plan multistage attacks to emulate intricate session maintenance mechanisms—a single request can bring a Web server or application to its knees.

To get this complete E-book on how to hack a website, web applications and internet security call or whatsapp me on 08060130891. E-book is sold for N2,000 for the first 10 persons to order, after which it will be sold for N3000. Hurry up.

what will you gain from hacking someone site